linux命令：制作CA证书生成及签核，openssl协议

openssl命令简介：

  SSL是Secure Sockets Layer（安全套接层协议）的缩写，可以在Internet上提供秘密性传输。Netscape公司在推出第一个Web浏览器的同时，提出了SSL协议标准。其目标是保证两个应用间通信的保密性和可靠性,可在服务器端和用户端同时实现支持。已经成为Internet上保密通讯的工业标准。

  SSL能使用户/服务器应用之间的通信不被攻击者窃听，并且始终对服务器进行认证，还可选择对用户进行认证。SSL协议要求建立在可靠的传输层协议(TCP)之上。SSL协议的优势在于它是与应用层协议独立无关的，高层的应用层协议(例如：HTTP，FTP，TELNET等)能透明地建立于SSL协议之上。SSL协议在应用层协议通信之前就已经完成加密算法、通信密钥的协商及服务器认证工作。在此之后应用层协议所传送的数据都会被加密，从而保证通信的私密性。

1．命令格式：

  OpenSSL [选项][文件] 

2．命令功能：

  OpenSSL是多用途命令行工具，实现私有证书颁发机构.

3．命令参数：

Standard commands 

asn1parse  ca  cipherscrl  crl2pkcs7  dgst   dh  dhparamdsa  dsaparam  
enc  engine  errstr  gendh  gendsa genrsa  nseq   ocsp   passwd pkcs12  
pkcs7  pkcs8  prime  rand   req  rsa  rsautl  s_client s_server  s_time  
sess_id smime  speed  spkac  verify version x509   

Message Digest commands (see the `dgst' command for more details)
md2  md4  md5  rmd160 sha  sha1   

Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc 
aes-256-ecb base64  bf  bf-cbc  bf-cfb  
bf-ecb  bf-ofb  cast   cast-cbc cast5-cbc  
cast5-cfb  cast5-ecb  cast5-ofb  des  des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb 
des-ede-ofb des-ede3  des-ede3-cbc  des-ede3-cfb  des-ede3-ofb  
des-ofb des3   desx   rc2  rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb 

4．使用实例：

 实例1.使用openssl speed 加密算法：显示openssl加密算法的速度

[root@localhost ~]# openssl speed 显示所有加密算法加密不同大小的数据所需的时间

Doing md2 for 3s on 16 size blocks: 394412 md2's in 2.98s

Doing md2 for 3s on 64 size blocks: 203352 md2's in 2.98s

Doing md2 for 3s on 256 size blocks: 69077 md2's in 2.98s

......

Doing md4 for 3s on 64 size blocks: 8383499 md4's in 2.97s

[root@localhost ~]# openssl speed des 显示des加密算法的加密不同大小的数据需要的时间

Doing des cbc for 3s on 16 size blocks: 9097196 des cbc's in 2.71s

Doing des cbc for 3s on 64 size blocks: 2466820 des cbc's in 2.74s

.......

Doing des cbc for 3s on 256 size blocks: 635165 des cbc's in 2.79s

Doing des cbc for 3s on 1024 size blocks: 192194 des cbc's in 3.00s

 实例2.使用openssl enc 加密文件：通过enc进行加密

    参数： -e：加密    -d：解密    -a：以base流形式加密（默认选项）

        -in：需要加密的文件   -out：加密后输出的文件  -des3：加密算法

        -salt：杂质（盐）

[root@johntest ~]# ls
anaconda-ks.cfg  Desktop  grub.conf  inittab  install.log  install.log.syslog
[root@johntest ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3  加密文件
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@johntest ~]# ls
anaconda-ks.cfg  Desktop  grub.conf  inittab  inittab.des3  install.log  install.log.syslog

[root@johntest ~]# mv inittab inittab.bk

[root@johntest ~]# cat inittab.des3 
U2FsdGVkX19G5XhZb/jjhqwbvAaPBz2sgpsqfl6PlkqPR/0SO13ejnBHqTJYewiQ
7FnG4an4QQZY4kaVwhs858Y4ic6KL1seXsvwtIW+BqL+woiVJH0fRFRFLzv6a5na
... (省略35行)
[root@johntest ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittab  解密文件
enter des-ede3-cbc decryption password:
[root@johntest ~]# ls
anaconda-ks.cfg  Desktop  grub.conf  inittab  inittab.bk  inittab.des3  install.log  install.log.syslog

 实例3.使用md5sum及openssl dgst -md5加密文件

[root@johntest ~]# md5sum inittab   #提取特征码
92a39a223f68e67e9e6c412443851aeb  inittab
[root@johntest ~]# sha
sha1hmac    sha224sum   sha256sum   sha384sum   sha512sum   
sha1sum     sha256hmac  sha384hmac  sha512hmac  
[root@johntest ~]# sha1sum inittab     #同一文件的相同算法的特征码一样 
78ef239097844c223671e99a79d6b533dced8d3b  inittab
[root@johntest ~]# openssl dgst -sha1 inittab
SHA1(inittab)= 78ef239097844c223671e99a79d6b533dced8d3b
[root@johntest ~]# openssl dgst -md5 inittab
MD5(inittab)= 92a39a223f68e67e9e6c412443851aeb
[root@johntest ~]# 

 实例4.使用openssl passwd生成有杂质的密码  salt：杂质（盐）

[root@johntest ~]# openssl passwd -1
Password: 
Verifying - Password: 
$1$H9SmHH0L$me6ujflYKSj6/XsM9I0XQ/
[root@johntest ~]# openssl passwd -1   #两次指定salt随机生成不一样 
Password: 
Verifying - Password: 
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1 
[root@johntest ~]# openssl passwd -1 -salt kY5RDrYX     #指定salt生成的密码一样
Password: 
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@johntest ~]# 

 实例5.使用openssl rand生成随机密码

[root@johntest ~]# openssl rand -base64 12   #生成12位的随机数 
7nYC9UjBQYR6FFaD
[root@johntest ~]# openssl rand -base64 12
VgxBw3ZJUUxlZF0F
[root@johntest ~]# openssl rand -base64 16
20noIYaMsnO7mSPypsUHjQ==
[root@johntest ~]# 

 实例6.使用openssl genrsa生成指定长的对称密钥

[root@johntest ~]# (umask 077;  openssl genrsa -out server512.key 512) 直接输出一个大小为512权限为700                                       的server512.key密钥文件
Generating RSA private key, 512 bit long modulus
.........++++++++++++
......................++++++++++++
e is 65537 (0x10001)

[root@johntest ~]# ll server5*
-rw------- 1 root root 493 Dec 10 13:45 server512.key

[root@johntest ~]# openssl rsa -in server512.key -pubout 从server512.key文件读出私钥，-pubout生成公钥
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn
8TQdC4VrnmhMv8o1I70UlY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQ==
-----END PUBLIC KEY-----
[root@johntest ~]# cat server512.key 
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn8TQdC4VrnmhMv8o1I70U
lY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQJABSm68XsfQ8aBKEQoA84t
A2px49RddMIcyaozEdalHFFPrd6X85HuPvDiOd5urA296WYbfOZnPNVtCPOGyQId
gQIhAPBxohtu6yOnYw7uLYFo3prMSjhqdcG58lB/LQbmN5rhAiEAz8MgfmO77THy
pFt0A2lQ8RSqpF+U+2ZZDCSfsk+LFb8CIG7E6tmYj9stEgWe1Hf5yBOoacjzwqws
7eUHscar6JIBAiEAtGNRJSvnES0a5cVZ11RrqMYu2wT6T8Uvb7GkzqbttfUCIDCv
OvZmqJOxcrRVg+5EXdKn2VMCoj2pE/UMqoufNUO9
-----END RSA PRIVATE KEY-----
[root@johntest ~]# 

 实例7.生成自签署证书

[root@johntest ~]# openssl req -new -x509 -key server512.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN  
State or Province Name (full name) [Berkshire]:Jiangsu  
Locality Name (eg, city) [Newbury]:Kunshan
Organization Name (eg, company) [My Company Ltd]:Fox    
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.johntest.com
Email Address []:caadmin@johntest.com
[root@johntest ~]# ll server.crt 
-rw-r--r-- 1 root root 1115 Dec 10 13:54 server.crt   #自签署证书 
[root@johntest ~]# cat server.crt 直接查看证书内容
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@johntest ~]# openssl x509 -text -in server.crt  通过文本方式查看证书内容
Certificate:
    Data:
        Version: 3 (0x2)    #证书版本号
        Serial Number:   #证书序列号 
            8c:05:39:20:fa:ff:36:11
        Signature Algorithm: sha1WithRSAEncryption   #证书颁发机构信息 
        Issuer: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.johntest.com/emailAddress=caadmin@johntest.com
        Validity       #证书有效期 
            Not Before: Dec 10 05:54:21 2016 GMT
            Not After : Dec 10 05:54:21 2017 GMT
        Subject: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.johntest.com/emailAddress=caadmin@johntest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c3:23:27:27:93:73:49:c8:a0:72:2b:26:ac:c2:
                    ff:f0:90:e0:26:b7:d9:30:a7:f1:34:1d:0b:85:6b:
                    9e:68:4c:bf:ca:35:23:bd:14:95:8d:e9:82:16:a5:
                    6f:ed:b5:00:f9:77:80:d0:3a:00:a1:6d:00:dd:c1:
                    76:da:5c:02:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
            X509v3 Authority Key Identifier:  
                keyid:6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
                DirName:/C=CN/ST=Jiangsu/L=Kunshan/O=Fox/OU=Tech/CN=ca.johntest.com/emailAddress=caadmin@johntest.com
                serial:8C:05:39:20:FA:FF:36:11

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption   #签名信息 
        58:ab:e1:5f:5a:e3:d4:d1:cc:c3:60:f2:2d:74:58:3b:a0:e4:
        86:5d:5a:be:28:53:bf:ad:2a:69:44:ce:75:c7:23:7a:c2:9e:
        55:4b:96:3e:9a:04:1c:64:f9:c2:bc:a7:99:3c:96:fc:69:9d:
        5a:fc:92:71:60:33:ca:d4:47:00
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@johntest ~]# 

 openssl实现私有CA：

  1、生成一对密钥（openssl genrsa） 

  openssl genrsa -out /PATH/TO/keyfilename numbits 生成私钥文件keyfilename 长度为：numbits

  openssl rsa -in /PATH/TO/keyfilename -pubout 生成跟私钥keyfilename对应的公钥

  2、生成自签署证书（openssl rsq）

 * 实例8.在本机创建自签署证书服务器

[root@johntest ~]#  vi /etc/pki/tls/openssl.cnf   #红色为已修改默认值

dir             = /etc/pki/CA       #证书工作目录

certs           = $dir/certs         #证书保存的位置
crl_dir         = $dir/crl            #证书吊销列表路径
database        = $dir/index.txt         #给那些用户发证书的信息 

#unique_subject = no         # Set to 'no' to allow creation of

                      # several ctificates with same subject.

new_certs_dir   = $dir/newcerts      # 新生成证书路径

certificate    = $dir/cacert.pem     #自己生成的证书

serial       = $dir/serial        # 证书系列号

crlnumber     = $dir/crlnumber      # 证书吊销列表工作号

                           # must be commented out to leave a V1 CRL

crl             = $dir/crl.pem          # 证书吊销列表工作文件

private_key     = $dir/private/cakey.pem  # CA自己的私钥文件

RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"

# (and highly broken) format.

name_opt        = ca_default            # Subject Name options

cert_opt        = ca_default            # Certificate field options

default_days    = 3650                  # 证书有效期天数

default_crl_days= 30                    # how long before next CRL

default_md      = sha1                  # which md to use.

preserve        = no                    # keep passed DN ordering

[ req_distinguished_name ]

countryName                     = Country Name (2 letter code)

countryName_default              = CN 国家

countryName_min                 = 2

countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)

stateOrProvinceName_default        = Jiangsu   省份

localityName                 = Locality Name (eg, city)

localityName_default            = Kunshan  城市

0.organizationName           = Organization Name (eg, company)

0.organizationName_default      = Fox  公司

organizationalUnitName          = Organizational Unit Name (eg, section)

organizationalUnitName_default    = Tech  部门，默认该行被注释掉，把#去掉即可

[root@johntest ~]# openssl version   查看openssl版本 
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

[root@test ~]# cd /etc/pki/CA/   切换到CA目录
[root@test CA]# ls
private
[root@test CA]# (umask 077;  openssl genrsa -out private/cakey.pem 2048)  生成私钥且权限为700，-out                           保存在当前目录下pribate目录下，名称为cakey.pem,长度为2048
Generating RSA private key, 2048 bit long modulus
..+++
...............................+++
e is 65537 (0x10001)
[root@test CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 10 14:48 cakey.pem
[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem 生成一个以cakey.pem私钥                                  相对应的自签公钥文件cacert.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.johntest.com
Email Address []:caadmin@johntest.com

[root@test CA]#mkdir certs newcerts crl  创建certs newcerts crl目录

[root@test CA]# touch index.txt   
[root@test CA]# echo 01 > serial  #下一个证书编号为01
[root@test CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

[root@test CA]# cd /etc/httpd/  切换到httpd目录

在HTTP里新建一个SSL:

[root@test httpd]# mkdir ssl
[root@test httpd]# cd ssl
[root@test ssl]# pwd
/etc/httpd/ssl
[root@test ssl]#(umask 077; openssl genrsa -out httpd.key 1024) 生成httpd自己的私钥文件
Generating RSA private key, 1024 bit long modulus
..........................++++++
...........++++++
e is 65537 (0x10001)
[root@test ssl]# cat httpd.key 
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDKxLVn2vx3xpl0pwFcfvgMCjfOVvhcNFCrQ0tG+XWtl9eXfohC
Y9j+WiKC9cyMdUovyr9VmweUdXON3foFhIm7+VkSma7c5ixuQuGvh4HKSDrG6g9W
U9gdpEa9BA1RyCoRWXo7fAb73/IAyqRoJAaqEXG2wnVzyUunCaieIgsmEwIDAQAB
AoGBAMc/Wn7OOg48kiiFvxm0DmxOUh4pae243pgcDUmV8iP9tDVCegS69syhp44G
mNRgoOCrmy40o9MnQsBiIr/vSCM0usYwdkz9TcKHND1Ime+3gQCRfbbnFQetF5dh
LMDvIYiQhvSY0qpikMhP/pJV0A/1JJabkV/k4N3U4GoZ+WjxAkEA8krkLa2gh02n
H7Kc7MCyxfo1TWb/ZwwaN031i1COO9CU1YoqhUPaNxdP3gzZaZWMrYOlw1Yguv1I
C5XB5i6rKQJBANY9ZC6JvzhsRLj+rStmTPMqV9ODsssGFJD6blYVuY0QMEZCnHSF
alhza1/q4XiNEccmMYd023r4OrEaw1r6KtsCQGHdPBLzKX7dL57O/zFlmA/9QyBT
dN/DdKdX9tDhpcGlOyiRWSFgybgs01amK/7Ip/zByud+V1QPz9TWFW6K9RkCQAff
/9O6Gn5PdIM8UU88Fm4Fy26p86OE2LKvkei2KbjmtG+QuUGLOeqAa5z9/EW7IcEp
RT7Oa9bsUvP5oN6yPWsCQQDTpEwskF2NIuPj5s1ke2Q+okmoGiWClLcGaYiCVzJm
DgIwxIU/hTe3KQCXIY+PEAypp5yLbmSgqXBNO3d0/TuM
-----END RSA PRIVATE KEY-----
[root@test ssl]# 

[root@test ssl]# openssl req -new -key httpd.key -out httpd.csr 以httpd.key私钥文件生成签核申请文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.johntest.com
Email Address []:wwwadmin@johntest.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []::                 #密码为空（不用加密私钥) 
An optional company name []:
[root@test ssl]# ls
httpd.csr  httpd.key
[root@test ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365  签核证书申请

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 10 08:26:36 2016 GMT
            Not After : Dec 10 08:26:36 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Jiangsu
            organizationName          = Fox
            organizationalUnitName    = Tech
            commonName                = www.johntest.com
            emailAddress              = wwwadmin@johntest.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                78:00:55:EA:DC:3B:E1:07:32:05:C3:8E:A8:26:C6:4A:1B:32:8F:31
            X509v3 Authority Key Identifier: 
                keyid:F1:D0:03:45:E8:51:8E:AE:6C:87:CC:38:ED:9F:43:C2:D1:6E:46:42
Certificate is to be certified until Dec 10 08:26:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test ssl]# cd /etc/pki/CA/
[root@test CA]# cat index.txt
V    171210082636Z        01    unknown    /C=CN/ST=Jiangsu/O=Fox/OU=Tech/CN=www.johntest.com/emailAddress=wwwadmin@johntest.com

[root@test CA]# cat serial     #下一个发证序号
02

 实例9.快速生成测试用证书

[root@test tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@test tls]# cd certs/
[root@test certs]# ls
ca-bundle.crt  make-dummy-cert  Makefile
[root@test certs]# make httpd.pem
umask 77 ; \
    PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
    cat $PEM1 >  httpd.pem ; \
    echo ""    >> httpd.pem ; \
    cat $PEM2 >> httpd.pem ; \
    rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..++++++
......++++++
writing new private key to '/tmp/openssl.F15890'
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.johntest.com
Email Address []:wwwadmin@johntest.com
[root@test certs]# ls
ca-bundle.crt  httpd.pem  make-dummy-cert  Makefile
[root@test certs]# vi Makefile   #可参考此文件写相关命令

本文转自wang650108151CTO博客，原文链接：http://blog.51cto.com/woyaoxuelinux/1888501 ，如需转载请自行联系原作者